Where is risk management guidance in the revised GRC Capability Model? This is a question I’ve been hearing lately from risk professionals who are looking for where they “fit in” to GRC. The answer is everywhere.
One of the key reasons for developing version 3.0 of the OCEG GRC Capability Model (widely known as the Red Book), was to have it better demonstrate the integrated nature of risk management with setting of business objectives, running of business operations and management of requirements that impact those operations.
Risk management is pervasive, continuous and inextricably linked to every aspect of the Model and every aspect of business. Whether we are talking about ERM or day to day risk management for a given project, it’s not a “one and done” activity or task. It demands continuous learning about changes in threats and opportunities that may call for realignment of risk decisions and objectives or strategies. It also requires management actions and controls to ensure understanding and conformity to policies and procedures for activities that affect risk, as well as evaluation of the effectiveness of those actions and controls.
These activities of risk management weave throughout the practices within the four components of the GRC Capability Model (Learn, Align, Perform, and Review) By asking the following questions based on the four components of the Model, you’ll see what I mean. The answers here aren’t comprehensive, but it’s a start.
How do we LEARN what we need to know to effectively manage risk?
- Imagine and define threats to established and planned objectives and strategies and opportunities that would support them
- Assess and understand culture of the organization and parts within it, with regard to risk attitudes, appetites, and decision-making
- Consider defined risk appetites and tolerances to determine priorities for monitoring and reporting on threat and opportunity changes in the external and internal business environments
- Monitor identified threats and opportunities including impact from legal requirements
- Monitor external and internal environments for indicators of imagined threats and opportunities
- Evaluate messaging (overt and implicit) from leaders and managers about risk
- Evaluate conflicts that may exist between incentives and claimed intentions about risk
- Determine cumulative and interactive risk
How do we ALIGN risk management with our objectives and strategies?
- Define risk appetites and tolerances (and other risk decision-making criteria) for entity
- Provide guidance to set risk appetite for departments, geographies, projects, topics
- Apply defined appetites and tolerances while establishing objectives and strategies
- Assess risks for both negative potential effect on objectives/strategies and for instances where taking risk creates competitive advantage
- Determine categories and ranking of risks and design appropriate controls for each
- Determine risks that should be avoided or mitigated in other ways such as sharing or financing
- Continually consider information about key threats and opportunities and review objectives/strategies
- Define and apply actions and controls to keep risk within established appetites/tolerances
- Establish methods for continuously evaluating risk culture and identifying areas for change
- Establish methods for considering cumulative and multiplied risk levels and adjusting either management of risk or objectives/strategies
What actions and controls do we need to PERFORM and REVIEW as part of ongoing risk management?
- Establish policies and procedures for actions that affect risk profile
- Educate managers and workforce on risk decision-making criteria
- Design risk based education curriculum and plans for different workforce audiences
- Implement a variety of control types to prevent, detect and correct adverse risk events
- Ensure pathways for notification and pulling of information about threats and opportunities
- Periodically and in some cases continually review established actions and controls to ensure their design remains appropriate and they operate as designed
The devil is in the details, of course, and as you go deeper into the Red Book, from the Component to the Element to the Practice level (in Appendix A) and through a review of the Recommended Documentation (in Appendix B), you’ll see that aspects of risk management weave throughout to inform setting of objectives and strategic planning for the organization, for a department or for a project. This is essential if we are to achieve Principled Performance.